v4.12.2: Security fix for X-Forwarded-For handling in AWS Lambda (ALB)
Key Points
- Security fix for X-Forwarded-For handling
- Impacts AWS Lambda adapter behind ALB
- Upgrade to v4.12.2 recommended
Summary
v4.12.2 addresses a security issue (GHSA-xh87-mx6m-69f3) where the AWS Lambda adapter running behind an Application Load Balancer (ALB) could incorrectly handle the X-Forwarded-For header, potentially allowing IP-based access control bypass. The release reverts PR #4707 (see #4757) and applies the corrective change.
Key Points
- Security fix: correct X-Forwarded-For parsing/handling in the AWS Lambda adapter when behind ALB to prevent IP-based access control bypass.
- Advisory: GHSA-xh87-mx6m-69f3; fix authored/merged by yusukebe and EdamAme-x.
- Change: revert of PR #4707 in PR #4757 with a minimal corrective commit.
Recommended actions for engineers
- Upgrade to hono v4.12.2 immediately if you use the AWS Lambda adapter behind an ALB.
- Verify that client IP extraction and any IP-based access controls behave as expected after the upgrade.
- Audit middleware and proxy configurations that modify X-Forwarded-For to ensure the correct client IP is preserved and trusted.
- Run integration tests for ALB/Lambda deployments and update dependency lockfiles as needed.
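As an added illustration (not Hono's code and not the change from #4757), the following shows why the direction in which X-Forwarded-For is read matters for IP-based access control behind an ALB. It assumes that the ALB appends the connecting client's address as the last entry of the header, and that `trustedProxies` is the number of trusted hops in front of the handler; both the function names and the sample addresses are constructed for this example.

```javascript
// Added example: extracting a client IP from X-Forwarded-For behind an ALB.
// Assumption: each trusted proxy (the ALB) appends the address it saw as the
// LAST entry. Everything to the left of the trusted hops was supplied by the
// client and can be forged, so it must not drive access-control decisions.

// Naive parsing: returns the leftmost entry, which the client controls.
function naiveLeftmostIp(xff) {
  if (!xff) return null;
  const first = xff.split(',')[0].trim();
  return first || null;
}

// Hardened parsing: count in from the right, skipping entries appended by
// trusted proxies, and return the address the outermost trusted hop saw.
// trustedProxies must match the real topology exactly: too high re-enables
// spoofing, too low returns a proxy address instead of the client.
function trustedClientIp(xff, trustedProxies = 1) {
  if (!xff || !Number.isInteger(trustedProxies) || trustedProxies < 1) return null;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  const idx = hops.length - trustedProxies; // index of the client entry
  return idx >= 0 ? hops[idx] : null; // null when fewer hops than expected
}

// IP allowlist check built on the hardened extraction.
function isAllowed(headers, allowlist, trustedProxies = 1) {
  const ip = trustedClientIp(headers['x-forwarded-for'], trustedProxies);
  return ip !== null && allowlist.includes(ip);
}

// Constructed sample: a client at 198.51.100.7 sends a header already
// containing the allowlisted 10.0.0.5; the ALB appends 198.51.100.7.
const forged = '10.0.0.5, 198.51.100.7';
console.log('naive:', naiveLeftmostIp(forged));        // 10.0.0.5 (forged)
console.log('hardened:', trustedClientIp(forged, 1));   // 198.51.100.7
console.log('allowed:', isAllowed({ 'x-forwarded-for': forged }, ['10.0.0.5']));
```

After upgrading, a quick regression check is to send a request whose X-Forwarded-For already names an allowlisted address and confirm that the deployed handler still reports the address the ALB appended.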